CLICK HERE.exe
SQL Injections Security Meetup
Month 1 of 12 (January) • This month: SQL Injections • Next month: XSS / CSRF • Meetup Group for times/dates
Plan of Attack • History of SQL • Basic Injections • Protections • Advanced Injections • Tips and Fun
Who are you? • Connor Tumbleson • Sourcetoad Engineer • Apktool - RE Tool • @iBotPeaches
1970: SEQUEL is born • IBM introduced. • Invented — all data is related. • Went public a few years later. • The language was known as SQL • Structured Query Language
SQL: Syntax • Clauses - actions • Expressions - scalars / arrays • Predicates - conditions • Queries - retrieve by condition • Statements - modifying by condition
With a 1999 Database
Login Page
Successful Login
A Basic Query SELECT * FROM users WHERE username='user' AND password='connor'
Let's try the "Admin" account
A Basic Injected Query SELECT * FROM users WHERE username='admin' AND password='' OR '1'='1' # '
A Basic Injected Query Explained • End the existing blob • Add a logic gate (OR) • Pass the logic gate • Comment out rest of query SELECT * FROM users WHERE username='admin' AND password='' OR '1'='1' # '
Successful Login :)
Too easy, right? Well, the world updated • Prepared Statements (preferred) • Stored Procedures (ew) • Whitelist (not feasible) • Escaping (cat n mouse)
SQL Protections: Escaping • What do you escape?
SQL Protections: Danger of Escaping • Unicode • Implicit Conversion
Escaping - XKCD Credit to XKCD
SQL Protections: Whitelists • Not feasible • Ordering • Filtering • Searching ( 😖 )
SQL Protections: Stored Procedures • Moves logic into DB • If done right, could work • Dynamic generation could be bad • Opinion: Dislike them
SQL Protections: Prepared Statements • The only 100% solution. • Period. • Effectively splits data from logic. • Laravel does this (behind scenes) SELECT * FROM users WHERE username=? AND password=?
SQL Protections: Prepared Statements • Common method is substitution via ? SELECT * FROM users WHERE username=? AND password=? • Alternatively, :named SELECT * FROM users WHERE username=:username AND password=:password
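The two login slides side by side, as an added example (not code from the talk): a string-concatenated query that accepts the deck's `' OR '1'='1'` trick, next to the same check done with the `?` and `:named` placeholders shown above. It uses Python's built-in sqlite3 module and a constructed in-memory `users` table. The `# '` comment tail from the slide is MySQL syntax, so the payload here simply lets the template's own closing quote finish the `'1'='1'` literal.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed demo database: two accounts, plaintext passwords (demo only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "s3cret-placeholder"), ("user", "connor")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Deliberately vulnerable: user input is pasted into the SQL text, so a quote in
    # the password ends the string literal and the rest is parsed as SQL logic.
    sql = (
        "SELECT * FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_prepared(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Positional '?' placeholders: the query text is fixed, values are bound
    # separately, so the password is compared as data and never parsed as SQL.
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def login_prepared_named(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Same idea with :named placeholders, bound from a dict.
    sql = "SELECT * FROM users WHERE username=:username AND password=:password"
    params = {"username": username, "password": password}
    return conn.execute(sql, params).fetchone() is not None


def demo() -> dict:
    """Run a legitimate login and the slide's injected password through each variant."""
    conn = make_db()
    payload = "' OR '1'='1"  # the template's trailing quote closes the last literal
    return {
        "legit_vulnerable": login_vulnerable(conn, "user", "connor"),
        "injected_vulnerable": login_vulnerable(conn, "admin", payload),
        "legit_prepared": login_prepared(conn, "user", "connor"),
        "injected_prepared": login_prepared(conn, "admin", payload),
        "injected_named": login_prepared_named(conn, "admin", payload),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

The concatenated version logs the attacker in as admin because the WHERE clause becomes `username='admin' AND password='' OR '1'='1'`; both prepared variants reject the same input because the whole payload is matched against the stored password as one string.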
Types of SQL Injections • In Band • Classic • Error / Union • Blind • Boolean / Time • Out of Band
SQL: In Band - Classic Error • Information Extraction • Learn database structure
SQL: In Band - Union • Imagine a table of items. • Injection of adding data (union) • Pivot to system tables (easy to identify)
SQL: Blind - Boolean • A method to answer T/F questions • Does the page change based on query? • Helpful when nothing outputting.
SQL: Blind - Timing • Much like Boolean, but time oriented. • SLEEP(1) • Can issue T/F statement • Wait for return
SQL: Out of Band • Strange • Different medium return from request. • Exfiltration via HTTP/DNS/Email
WAF: Web Application Firewall • Popular: ModSecurity • Rules to prevent SQL injection • Not perfect • Works off regular expressions.
Advanced Time
Advanced Technique: Bitwise Operations • Enumeration of a,b,c,d,e,f etc • a = true/false • b = true/false • Enumeration via bit-shifting 00000000 • 0 = true/false • 01 = true/false
Example Time. • Let's assume we found a "settings" table • Blind injection, so need to enumerate • (but let's cheat first)
First. We need length
So now what? • We know a length 3 string. • We are assuming alphanumeric • Let's try brute forcing two ways. • Alphabet scan • Bit shifting
Alphabet Scan - First Letter • Request 1 - "a" - Fail • Request 2 - "b" - Fail • Request 3 - "c" - Pass :) • 3 Requests - "c??"
Alphabet Scan - Second Letter • Request 1 - "a" - Pass :) • Too Easy • 4 Requests - "ca?"
Alphabet Scan - Third Letter • Request 1 - "a" - Fail • Request 2 - "b" - Fail • Request … - "Fail" • Request 20 - "t" - Pass :) • 24 Requests - "cat" :)
Recap: Alphabet Scan • Via true/false questions. • We learned “salt” was “cat” • It took 26 queries to database • (once we started counting)
Bitwise Scan - Intro • We need to know binary. • So what is cat (ASCII)? • c = 99 (01100011) • a = 65 (01100001) • t = 116 (01110100)
Bit-Shifting - Introduction • Shifting "???" 7 bits • Remember 0 is an index • We know 0???????
Bit-Shifting - Next bit • Shifting "???" 6 bits • We know 01?????? • So previous + current = now • So 0 + (1 or 0) = 1 or 0
Bit-Shifting - Next bit • Shifting "???" 5 bits • We know 011????? • So previous + current = now • So 1 + (2 or 3) = 3 or 4
Bit-Shifting - Skip a few steps • Shifting all bit locations of first character • We know 01100011 • We learned “c”. • Took 8 requests.
Bit-Shifting - Rinse and Repeat • We learned “a” - 01100001 • We learned “t” - 01110100
Recap: Bit-Shifting Scan • Via true/false questions. • We learned “salt” was “cat” • It took 24 queries to database • (once we started counting) • So it was quicker.
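The alphabet-scan and bit-shifting recaps above, replayed offline as an added example (not code from the talk): a local `BooleanOracle` stands in for the page that only answers true or false, and both strategies recover the constructed secret "cat" while counting how many questions they needed. The `shifted_equals` question models the slides' "shift the character right by N bits and compare" step; no database or network is involved. The point for a defender is the same one the recap makes: every yes/no answer leaks roughly one bit, so a boolean oracle turns into a few dozen near-identical requests per recovered value, which is what rate limiting and request-pattern detection should be looking for.

```python
import string


class BooleanOracle:
    """Constructed stand-in for a page that answers only yes/no about a hidden value."""

    def __init__(self, secret: str):
        self._secret = secret
        self.queries = 0  # how many true/false questions have been asked

    def char_equals(self, pos: int, ch: str) -> bool:
        """Alphabet-scan question: is character `pos` equal to `ch`?"""
        self.queries += 1
        return self._secret[pos] == ch

    def shifted_equals(self, pos: int, shift: int, value: int) -> bool:
        """Bit-scan question: is ASCII(char at pos) >> shift equal to `value`?"""
        self.queries += 1
        return (ord(self._secret[pos]) >> shift) == value


def alphabet_scan(oracle: BooleanOracle, length: int, alphabet: str = string.ascii_lowercase) -> str:
    """Try each candidate letter in turn until the oracle says yes."""
    out = []
    for pos in range(length):
        for ch in alphabet:
            if oracle.char_equals(pos, ch):
                out.append(ch)
                break
        else:
            out.append("?")  # not in the assumed alphabet
    return "".join(out)


def bit_scan(oracle: BooleanOracle, length: int) -> str:
    """Recover each byte most-significant bit first, exactly 8 questions per character."""
    out = []
    for pos in range(length):
        known = 0  # bits recovered so far, e.g. 0b011 after three questions
        for shift in range(7, -1, -1):
            # "previous + current = now": the value shifted by one bit less is either
            # twice the known prefix or twice the prefix plus one; ask about the +1 case.
            candidate = (known << 1) | 1
            known = candidate if oracle.shifted_equals(pos, shift, candidate) else known << 1
        out.append(chr(known))
    return "".join(out)


def compare(secret: str = "cat") -> dict:
    """Run both strategies against fresh oracles and report answers and query counts."""
    a = BooleanOracle(secret)
    b = BooleanOracle(secret)
    return {
        "alphabet": alphabet_scan(a, len(secret)),
        "alphabet_queries": a.queries,
        "bit": bit_scan(b, len(secret)),
        "bit_queries": b.queries,
    }


if __name__ == "__main__":
    print(compare())
```

For "cat" the alphabet scan spends 3 + 1 + 20 = 24 questions (the slide's count before the length queries are added) and the bit scan always spends 8 per character, 24 here; the gap widens quickly for letters late in the alphabet or for values outside the assumed alphanumeric set, where the alphabet scan fails outright and the bit scan does not.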
Advanced Technique: Mega Payloads • If injection working. • Construct query that compounds. • Run out the memory.
Advanced Technique: 2nd Generation • Instead of injection. • Use UGC to insert an injection • Database might react on that • Tough to use unless common product • Forum software, out of box, etc
Funny Injections & Tools
User Generated Injection • Wait till the scanners read this.
Creative Thinking • Can’t get a bill if you have no plate.
Creative Thinking - Backfired • $12,049 in fines. bit.ly/2SWLbRU
Tool: sqlmap • Automate everything we discussed.
sqlmap • Run it against our first example
sqlmap • Enumeration of data quickly.
Concluding • We learned a bit about SQL • We learned injection types • We explored some complex injections • We had some fun
Thanks! connortumbleson.com @iBotPeaches